You can see a very similar example in action in the Network.AWS.CloudFront.SignedCookies.CLI.Sign module which defines the command-line interface for creating signed cookies.

Decoding policy cookies

After you generate a policy cookie and send it to a client, you may later want to parse it back into a Policy value – for example, to determine whether you need to send a new set of cookies to replace an expired policy.

The executable

You can also generate cookies using the command-line interface. It provides two commands:

sign - Given a private key and policy options, produces signed cookies and prints them as HTTP request headers.

decode - Decodes a CloudFront-Policy cookie and prints it in human-readable JSON format.

sign

$ aws-cloudfront-signed-cookies sign --help
Generate signed cookies for AWS CloudFront
Usage: aws-cloudfront-signed-cookies sign --pem-file ARG --key-pair-id ARG
--resource ARG --days ARG
Available options:
--pem-file ARG Location in the filesystem where a .pem file
containing an RSA secret key can be found
--key-pair-id ARG CloudFront key pair ID for the key pair that you are
using to generate signature
--resource ARG URL that the policy will grant access to, optionally
containing asterisks for wildcards
--days ARG Integer number of days until the policy expires
-h,--help Show this help text